Closed Bug 1425826 Opened 3 years ago Closed 3 years ago

[Static Analysis] Dereference of null return value in BinASTParser::parseBlockStatementAux

Categories

(Core :: JavaScript Engine, enhancement, P1)

enhancement

Tracking

()

RESOLVED FIXED
mozilla59
Tracking Status
firefox59 --- fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1426305)

Attachments

(1 file)

A possible null pointer dereference can occur in the following context:

>>    // In case of absent optional fields, inject default values.
>>    if (!body)
>>        body = factory_.newStatementList(tokenizer_->pos());
>>
>>   MOZ_TRY_VAR(body, appendDirectivesToBody(body, directives));


I think we can avoid this by packing | newStatementList | call with TRY_DECL.
Comment on attachment 8937418 [details]
Bug 1425826 - prevent null pointer dereference in BinASTParser::parseBlockStatementAux.

https://reviewboard.mozilla.org/r/208092/#review214458

r=me with the one comment addressed.

::: js/src/frontend/BinSource.cpp:338
(Diff revision 1)
>          }
>      }
>  
>      // In case of absent optional fields, inject default values.
>      if (!body)
> -        body = factory_.newStatementList(tokenizer_->pos());
> +        TRY_DECL(body, factory_.newStatementList(tokenizer_->pos()));

This seems like it would be a syntax error. Does it compile?

I think it needs to be `TRY_VAR` instead of `TRY_DECL`.
Attachment #8937418 - Flags: review?(jorendorff) → review+
Priority: -- → P1
Pushed by bpostelnicu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4d07f50ba637
prevent null pointer dereference in BinASTParser::parseBlockStatementAux. r=jorendorff
https://hg.mozilla.org/mozilla-central/rev/4d07f50ba637
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
You need to log in before you can comment on or make changes to this bug.